Encrypted secrets store sensitive information, such as passwords, tokens, and SSH keys, directly in your configuration file as encrypted strings. Each secret is represented as a YAML document in your configuration file.
You can use the command line tools to encrypt secrets. Each secret is encrypted with a per-repository encryption key using AES-GCM. This key never leaves the server environment.
Example command to encrypt the secret:
$ drone encrypt <repository> <secret>
$ drone encrypt octocat/hello-world top-secret-password
hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
Example configuration with encrypted secrets:
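The following configuration is an added example, not taken from the original page. The step name, image, command, and the secret name `password` are assumptions; the `data` value is the ciphertext printed by the command above.

```yaml
---
kind: pipeline
type: docker
name: default

steps:
- name: deploy                  # hypothetical step name
  image: alpine                 # hypothetical image
  environment:
    PASSWORD:
      from_secret: password     # refers to the secret document below by name
  commands:
  # Confirm the secret was injected without printing its value to the build log.
  - test -n "$PASSWORD"

---
# Each encrypted secret is its own YAML document in the same file.
kind: secret
name: password
# Output of: drone encrypt octocat/hello-world top-secret-password
# The ciphertext is bound to the per-repository key, so it is only
# usable in the repository it was encrypted for.
data: hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
```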
Pull Requests
Secrets are not exposed to pull requests that originate from forks. This prevents a bad actor from sending a pull request and attempting to expose your secrets.